Question

So I cleaned up some malicious PHP scripts from a client's site and I've been monitoring...

So I cleaned up some malicious PHP scripts from a client's site and I've been monitoring for follow up connections to the scripts. Of course, I've found a LOT of IPs requesting the files. Too many to try and blacklist and too many different netblocks to block at a high level.

I'm thinking about redirecting all subsequent requests for the files to some kind of blackhole/tarpit/honeypot/bad guy reporting system, but I'm not sure if such a thing exists for HTTP traffic.

Ideally, I could redirect these IPs to the Internet police and they would be subject to investigation and stern talking to's, but I doubt a system like that exists due to its potential for abuse.

Answer #1

I'm afraid all those IPs are nothing but victims clicking on phished/malicious links.

Your client was hacked and malicious scripts were hosted on their server in order to infect inconspicuous victims. Whether you like it or not, your client contributed to spreading malware.

The next step for you is to just serve a 404 Not Found on those requests and make sure your customer doesn't help spread malware again. If you like you could just set up a 301 or a 302 pointing to a law enforcement site or serve a static page telling your visitors that they probably just clicked on a phishing/malicious email link.

As per your initial question, any tarpit (e.g. keeping TCP sessions open) you set up on a webserver will only slow your server down more than those guys. Seriously, there's no point in doing that.
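One way to keep monitoring after the cleanup, as an added example that is not part of the original question or answer: a small audit of the web server's access log that counts the clients still requesting the removed scripts and flags any request that got a 2xx response, which would mean a file is being served from that path again. The script paths and log lines are constructed placeholders, and the Combined Log Format is an assumption about the server's logging.

```python
import re
from collections import Counter

# Hypothetical paths of the removed scripts (placeholders, not from the post).
REMOVED_PATHS = {"/wp-content/uploads/x.php", "/images/cache.php"}

# Combined Log Format: ip ident user [time] "METHOD target proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges only).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /images/cache.php?id=1 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "POST /images/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
garbage line that does not parse
"""

def audit(log_text, removed_paths=REMOVED_PATHS):
    """Summarise hits on removed scripts and flag any answered with 2xx."""
    hits = Counter()       # requests per client IP
    methods = Counter()    # GET vs POST etc. on the removed paths
    still_served = []      # (ip, path, status): something is at that path again
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip unparseable lines
        path = m["target"].split("?", 1)[0]   # compare without the query string
        if path not in removed_paths:
            continue
        hits[m["ip"]] += 1
        methods[m["method"]] += 1
        if m["status"].startswith("2"):
            still_served.append((m["ip"], path, int(m["status"])))
    return {"unique_ips": len(hits), "hits": dict(hits),
            "methods": dict(methods), "still_served": still_served}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

An empty `still_served` list is the expected steady state once the paths return 404 or a redirect; any entry there is a reason to re-check the site for reinfection.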
